My Path into Cyber Security

How I got over the Experience Wall

Stuart's new venture! is a website where people looking to gain the knowledge and skills required to develop great security policies for use in certifications including SOC 2 & ISO 27001

At the initial close down of society in March 2020 due to CoronaVirus; I found myself looking down the barrel of the furlough shotgun. Worried about how long would the company keep furloughed employees on the payroll. They were not allowed to utilise me but still had to pay for 80% of my wages. This left me with a feeling of impending doom. Having served for over nine years in the British Military, I consider myself to be fairly resilient and capable of overcoming all but the most difficult of problems. You see, I'm a problem solver, I look for solutions and opportunities where others only see the brick wall in front of them. Finding ladders is my specialty, the main problem in the way I work is finding a ladder of the correct length for the problem at hand. I tend to climb the ladder before checking to see if it’s long enough. My career was in Physical Security, guarding licensed premises and entertainment venues. This was paying for life while training in the field of outdoor education.

Volunteering with the UK's largest Woodcraft and Survival school on an unpaid apprenticeship for five years, learning how to teach survival and woodland skills such as foraging, bow making, advanced shelter building, and tracking of wild animals. Tracking was a subject that was easy to fall in love with. Spending many hours out in the woods looking at the evidence animals leave behind. This love saw me travel to South Africa twice to study under the watchful eye of one of the world’s most senior trackers. Participating in the conservation of keystone species such as the Rhino, Elephant, Lion and critically endangered vultures. Learning about the challenges they face, the methods used to protect them and building education in the local communities. My passion for the outdoors was the driving factor for taking on this apprenticeship but having a realistic head on my shoulders, the future was not looking financially viable for a career in this field in Scotland. We have the Outdoor Access Code which gives everyone the right to access land they do not own, for recreational purposes. In countries such as England, they do not have this right and must pay for access. This means educational courses that give access to land for recreational purposes are in far greater demand, where this right does not exist. For me, this meant that I required an additional source to supplement any income I would receive in outdoor education.

Covid 19 came smashing through the country and all recreational education courses came to a grinding halt. The whole situation made me rethink my future; What career field is in demand? Where could I get training? Can I do it on a budget? Would this secure my future? So many questions firing around in my brain, I needed to use my time wisely, research potential new routes and options available to me. On the second day of furlough, sitting at home with the laptop open. I scrolled past an advert for a HNC in Cyber Security, I kept scrolling. Then it hit me, "I could get a job in Cyber Security!" Looking back through my feed, it came back into view. The advert was from a former instructor, who had taken me through the licensing for Physical Security and CCTV Operator a number of years prior. It stated they had received funding from the Scottish Government to provide access to education and a Higher National Certificate in Cyber Security for people who are under-employed. To qualify, all that was required was to tick two boxes from a list of under-employed sectors of society. As a Military Veteran on a low income, I qualified and decided to contact my former instructor. For those of you not in the UK, a HNC is two levels below a Bachelor’s Degree and normally the first qualification received at any University in the UK.

Within three days, my spot on the course was secured and I immediately got stuck into the content of the modules. There were 8 different modules, all relating to different areas of Computer Science and Cyber Security. Starting off with Computer Architecture and Networking, moving on to Digital Forensics, Penetration Testing and Professional Ethics. The requirements were tough! This level of education was far beyond what I had experienced prior to this stage in my life. I was used to being given all of the content required for a subject and going away to remember it before being assessed. This was different, we were expected to receive the basics of the subject and to research it to an advanced level. I did struggle with this. We were never given a clear roadmap for the requirements of the actual assessments. Often they asked questions as if they had been plucked out of thin air by the assessor. Having plenty of time on my hands enabled hyper focus, with the support of my tutor and personal grit I progressed to the final exam four months later. My results came through and I had passed with an 'A' in the graded exam. This blew my mind! Having never wanted to progress into higher education, this possibility was beyond my expectations. I've always been clever but never focused on furthering my education as an adult. Where could I go from here? Should I do a degree? Do I go for a job? I settled for trying to find a job and would look at a degree further down the line if my career required it. I wanted out of my current job and didn't want to wait around for a few more years while studying.

Receiving a call from my boss; the position was now required again and I should return to work. This helped with my finances but it wasn't the job I wanted. I would look for employment within the Cyber Security field and apply for as many jobs as I had recently qualified for. Looking through the job descriptions on job boards filled me with disappointment. After signing up for this course and putting so much effort into getting a good grade and attaining as much knowledge as possible, I thought I'd land a job straight away. There was after all a skills gap and 3.1 million empty Cyber Security positions across the planet. The vast majority of Cyber Security jobs required certifications and lots of experience. Researching the field a little further (Something I should have done at the very start) I found that the very basic level of a Cyber Security job required CompTIA Security+ and slightly more senior jobs required actual certifications in each specific area of Cyber work. Of the thirty six jobs I applied to; I received only two interviews. I hit a brick wall with these as they wanted someone who had more experience, even though these were basic level desktop support and network infrastructure jobs with the local council. In this case, my ladder was not the correct one.

Having watched a great deal of Cyber Security content on YouTube while researching subjects for my course, I found a vast array of information on Networking in Technology and Cyber. These videos were stating that one of the best ways to get a Cyber Security job was to build your network on social media platforms such as LinkedIn. There was a challenge to get one thousand meaningful connections on the business social network. Loving the challenge, I focused my energy on in my spare time to build my network. Connecting with industry leaders, hiring managers, cyber security content creators and professionals from across the globe. It was eye opening! I found a whole new route into Cyber and the brick wall began to look a little less tall. One of the best things about this process was networking with other students. Being able to bounce ideas off others and giving help to them where I could.

I wanted to be a penetration tester, like everyone does; it's a cool and exciting job, paid very well and I'd get to be a hacker! Understanding this was a deeply skilled field and required further training, I set out with a renewed enthusiasm but level head. I was Looking for budget training courses on CompTIA Sec+ and eventually found a course on an online training platform discounted to £30, a price I could afford. I signed up and began working through. Taking methodical notes and cramming as much into my head as I could. As a basic course, it's not a very deep level of knowledge but it was vast! The content was nineteen hours of videos and each video was normally around the four or five minute mark. From starting the course to receiving a passing grade on the exam, it took three months. Having to fit learning in while working twelve hour shifts was a struggle but taking the ladder a step at a time helped me see the top of the wall fairly quickly.

During the course I learned about Governance, Risk Management and Compliance (GRC). This sparked my interest, as a potential route into Cyber that I had not previously thought about. My background in the military had been in the administration of hundreds of personnel. Policy and Procedure writing had been one of my main tasks. I had enjoyed that and was fairly good at it. Not being a touch typist might have made me slower than some but my skill on a keyboard wasn't too bad. Digging deeper into regulations such as NIST, ISO 27001 and EU GDPR opened my eyes further. For my current job in CCTV Operations, knowledge of the UK Data Protection Act was required. The DPA was the UK's version of EU GDPR and I could relate that knowledge to these different security frameworks! I just found my ladder into Cyber.

Being a member of British Military Veterans group "TechVets", gave me access to some excellent training resources such as Immersive Labs and numerous vendor specific career training paths. Unfortunately they didn't have anything GRC related for further certification however they did point me in the direction of a company who provided free training in ISO 27001 and EU GDPR. All I would have to do is pay for the exams. This I could do! I signed up for the ISO 27001 Foundation course and EU GDPR. This ladder felt like the correct selection for me. Finally a route I think is within reach and I can utilise my previous experience to help get a job. I applied for as many GRC jobs as I could. Receiving invites to interview from six companies, including a global shipping company and a tech start-up.

One of the companies was local to me, had a great platform and looked to suit my ethics and ethos. I was super excited to have been asked to carry out an assessment of my skills as a second stage of the application process. The task was to set out a plan of how I would take a fictional company through ISO 27001 certification. They asked for us not to take longer than two hours to put together a document showing our process. After eight hours of studying and writing, my submission was complete. I had gone way over the top, writing 8 pages of information on how I would take the company through its certification. We went through my submission in the 3rd stage interview. The answers on this subject were great and I was confident of an impending job offer. A couple of days later, a new email notification popped up on my phone. We regret to inform you that you were not selected for the position...... I was gutted. The company had chosen to go with someone who had more experience than me. They provided the following feedback:

“Your consideration towards the take-home task was genuinely astounding.”

“We remain convinced that you would be an absolute joy to have in any organisation.”

I absolutely blew them away with my personality, determination and knowledge but they chose to go with someone else because of my lack of experience. Yet again, my ladder was too short. I needed a few extra rungs there. It is the right ladder, it just needs to grow! How was I going to get this experience if nobody would give me a chance to prove myself?

It was at this stage when I was assaulted at work by an aggressive man, who was high on drugs. He had been disturbing customers at one of the venues on my site. I was asked to attend to help keep him from hurting or disturbing anyone else until the police arrived. I arrived at the venue to provide assistance and the man was already outside. My presence at the venue entrance would hopefully be enough to prevent any further issues. It was not, and he tried to make entry three further times before assaulting me. I defended myself and knocked him down with a sharp punch to the jaw. I attempted to restrain the man but he was like a bucking bronco. His grip on my wrist prevented me from gaining total control until I was assisted by the venue manager a few moments later. The police arrived nine minutes later and arrested him. Before being taken away, he accused me of putting a spell on him. I may be magic, but I am no wizard.

My feelings at this point were that I needed to put all of my energy into gaining my first cyber role. Physical Security can be risky and with a number of incidents involving knives on site in recent weeks, I was not enjoying the prospect of staying there. Covid restrictions had begun to ease and I had been going back out to teach on woodland courses. Each of these was 42 hours long and took place from Friday until Sunday afternoon. The Friday morning after the attack, prior to the start of a weekend course, I was struggling. The stress of the attack, the pressure of finding a job and the thought of having to teach at the weekend was all too much. I contacted the course lead and said I couldn’t attend, I needed to rest and recover. After a short period of reflection, I stepped down as an apprentice instructor to focus all of my energy on gaining my career in Cyber Security. The following week I filled out many applications to Cyber GRC jobs for remote companies based anywhere in the world that were looking for someone with my qualifications and certifications.

Posting on LinkedIn about my stepping down from the apprenticeship was a pivot point for my efforts. A previous instructor of mine reached out and asked for advice on keeping his personal and business data safe. A light bulb went off in my head! I could offer advice to super small businesses, help them with their Cyber Security and hopefully use that experience to help in job interviews. I produced two documents, the first was a nine page document of business privacy essentials and the second was a seven page document for personal privacy essentials. This spurred me on to make a website and LinkedIn page to advertise that I was offering Consultancy Services to small businesses. I reached out to my network and spoke with a Head of Cyber Sales Consultant about my documents and asked if he would check them over. He did and gave me some advice on how I could use them to sell myself as a consultant.

After building the website: and using my spare time to build my brand, update my profiles, posting regularly about security frameworks with tips on how to learn them quickly, giving free training and career advice to people on lower rungs of the ladder than me. I was contacted by the Sales consultant who asked if I would meet with the CEO of the Penetration Testing Business he worked for. He had been impressed with my story and the efforts I had been putting in. He offered me the chance to help him take his company through Cyber Essentials, a security framework for businesses here in the UK. I agreed and spent the few days taking his company through a gap analysis that I had created for the framework.

We got the business ready for certification and the next day I was offered work on one of their contracts. A financial services company from the USA was going through certification in FFIEC and they needed help with the documentation. I had never heard of FFIEC before and was required to teach myself the requirements. A couple of hours later, I reviewed the documentation the company had produced. It was a gap analysis document but they had nothing to point it to. I set out a plan to produce a template which could be used to provide twelve mandatory documents for the ISO 27001 which would help frame the company’s application for certification in FFIEC. Within ten hours and the help of his team, we had twelve documents that could be used to provide the initial package to the client.

I was paid for my work and this made me very happy! I had taken myself from Student to Consultant in Cyber Security GRC by thinking outside of the box, finding the right ladder to the right problem. Producing the results when required and blowing the mind of the CEO who asked me for help. These are his words: "I have worked with Stuart on 2 compliance projects now. He has always been very responsive and has a strong understanding of compliance requirements. The 2 projects I came to him with were both on very short notice and very different in scope. He was able to understand my requirements quickly and jumped into action. I am very happy to recommend Stuart for all compliance related work. He is approachable, professional and a pleasure to work with."

I had started to make waves in the industry. Students were reaching out to me for advice and I was always happy to help. I was holding space for people to ask questions about Cyber Security training and requirements at online networking events. I liked helping people and knowing that all of this activity is going to get me noticed; I was happy to put in the extra effort. Each extra task I set myself was adding extra rungs to my ladder. The more things you do, the higher your ladder goes. Proof of this concept arrived with a direct message from the Head of Compliance at a large Cyber Security consultancy based in the UK. Asking me about my compensation requirements and giving me advice on additional courses to take. He was looking to build out his team but didn't currently have the approval to hire additional people. The fact that an influential hiring manager was reaching out to me, cemented the concept in my mind as the right way to do things. More than fifty percent of tech jobs are offered in non-conventional ways. The traditional method of sending in a CV/resume to the HR department or filling in an application form on the company website do still work, however it is much easier to get the hiring manager's attention if someone has recommended you or they reach out to you directly. My plan was to do as much of this Networking, building my brand and boosting my visibility as I could.

Back to the day job, I was involved in another confrontation. Being a stoic professional is hard when someone is screaming in your face. This time it was with a temporary guard who I had asked to do some tasks. He flat out ignored my request and had a temper tantrum when confronted about his attitude to completing the tasks set over him. Obviously I remained professional at all times and called in the site manager to deal with the incident. This however was the straw that broke the camel’s back for me. For over five years I had worked as a Door Supervisor or Security Officer in the City Centre of Edinburgh, the capital city of Scotland. While being inherently beautiful, it can be pretty dangerous for security personnel. There are deprived areas within Edinburgh and the youth crime within the city is at a concerning level. I mentioned above the recent knife incidents; the level of knife crime in Edinburgh is high. There are many students who live here, with a lively nightlife, the confrontations are regular. I have been pushed, verbally assaulted, milkshakes thrown at me, and attacked for no reason, without even having interacted with my attacker prior to being attacked. The worst incident by far was when a drunk teenager attempted to set a firework off in my face. The police failed to arrive and I had no support from my management team in response to this incident.

I felt under siege; like a castle wall being pounded by cannon fire. My bricks were being smashed away one at a time. I didn't know when the wall would finally crumble. I broke down, tears filling my eyes as I drove from my home to start my twelve hour shift, dealing with drunks, drugged up homeless people or aggressive temporary guards. I could no longer face the danger or the stress of it all. I attended that shift but went home sick when the next officer arrived. I would spend the next few days in a slump. Not knowing if I could face going back, my doctor agreed I needed time to recover and reformulate my plan to change my career. My time as one of the best door supervisors in Edinburgh was over.

While this was not a great position to be in; struggling with the mental stress of the entire situation, it did present opportunities. I would only receive Statutory Sick Pay for my time off which was £96 per week. The money from the FFIEC job was due to arrive in a couple of weeks and I did have savings. Not too worried, I trusted in my ability and my drive to get work. I was not well mentally but the problem was with the dangers from working in Physical Security, not working in safety behind my computer. My employer did provide a counselling service and I would use this to help with my recovery.

Looking for ways of finding Consultancy work, I was advised by people on my network to sign up with online sites such as Fiver and UpWork. I created profiles and began bidding for contracts I could complete online, working from home. It was at this stage when I received an email, inviting me to an informal chat from a recruiter that had read my application to an open Security Analyst job that had become available. I probed the sender, "Is this an interview or a pre-interview filter?" The response was that it was a bit of both; we set a time for the call. The questions were easy; "Tell me about yourself?", "What are your compensation requirements?" I told the interviewer my background and made sure to include the details of the recent compliance work, and that I had set up my own consultancy to get the experience required to prove to employers that I am capable of working in the GRC Field of Cyber. The conversation went well and she said I would get an invite for an interview with the Hiring Manager.

The second stage interview was conducted over Microsoft Teams on webcam. Again this was very easy! We had good interactions and I gave really good answers to the questions. I was invited for a third stage interview with the Hiring Manager's boss and the Head of Quality and Regulatory Affairs. They would ask me some probing questions on my consultancy and why I set it up, and they tested me on my compliance experience. I gave really good answers and utilized my recent experiences from the Cyber Essentials and FFIEC Contracts. When I finished answering the last question, I asked the Head of Q&RA if my answer provided enough detail and she said "I'm smiling". I took this as a great sign.

I would receive the heads up from the hiring manager less than an hour after the final interview that the job was mine if I wanted it! To say I was happy was an understatement. Nearly two years of relentless studying, networking, additional efforts and over one hundred job applications had finally landed me a superb job in the field of work that I had been working towards. When the offer came in, it was in excess of my requirements by a great deal. A sure sign that my efforts had impressed and that they really wanted me as part of the team. I accepted the offer and I am now the new Security Analyst (Policy and Procedure Writer) within the Information Security Operations team of global software giant Infor.

If you are struggling to find a job in tech or are looking to progress your career; Build your Personal Brand! Build your Network! Interact with other professionals' content! Create your own content! Help others in their journey! If you do these things and do them relentlessly, you will make waves! You will find the correct ladder! Put in that extra effort and you too can land your dream job!

My website has received a facelift and is now a platform to help others find the information they need to boost their profile and land their dream job. Please visit if you need direction to Cyber Training or help with landing that dream job. I am also contactable on LinkedIn where I continue to provide advice and training tips.

Thank you for reading,

Stuart W

Security Policy and Procedure Writer

Stuart W

Certified Policy Management & GRC professional

A highly motivated and innovative information security professional, specialising in the reduction of human risk through the development and implementation of targeted enterprise security policies. Utilizes expert policy writing and security framework knowledge to reinvigorate policy management, enhance enterprise risk management programs, and translate technical security concepts into easy reading.

Begining in the military gained a detailed understanding of security within the physical and the InfoSec realms. He now utilizes over 15 years of experience to help businesses protect their employees, customers, and intellectual property.